The Securities and Exchange Commission (“SEC”) recently penalized a public company for violating U.S. economic sanctions. The violation cited the “books and records” and “internal controls” provisions of Securities Exchange Act of 1934 (the “Exchange Act”). With this unprecedented action, the SEC has put companies on notice that the Department of Justice (the “DOJ”) and the Office of Foreign Assets Control (“OFAC”) are not the only sanctions enforcers in Washington.


It is well known that under Sections 13(b)(2)(A) and 13(b)(2)(B) of the Exchange Act – enacted as part of the Foreign Corrupt Practices Act (“FCPA”) – public companies must keep accurate books and records and maintain internal controls sufficient to ensure that transactions are executed in accordance with management directives and accurately recorded for reporting in the company’s financial statements. The SEC often cites public companies for violations of these provisions in cases involving allegations of foreign bribery. In this context, the SEC often will assert that a public company violated these provisions by disguising the illicit transactions in its books and records and by failing to maintain internal controls capable of detecting and preventing such transactions.

In its recent action against Quad/Graphics (“Quad”), the SEC broke new ground, finding that a public company violated these provisions not only through a foreign bribery scheme, but also through a scheme to evade longstanding United States sanctions against Cuba. In so doing, the SEC has stepped into an area of enforcement traditionally occupied by the DOJ and OFAC. It remains to be seen whether this expansion of SEC authority will be limited to sanctions, or may extend to other areas of financial crime, such as money laundering.

The SEC Order

On September 26, 2019, the SEC issued an Order instituting a settled cease-and-desist proceeding against Quad, a public company focused on printing and desktop publishing. According to the Order, in 2010 Quad purchased World Color Press Inc. (“World Color”), resulting in the acquisition of numerous foreign subsidiaries in several high-risk jurisdictions. At the time, the SEC found, Quad’s global compliance program was inadequate, and Quad had “failed to implement sufficient internal accounting controls or anti-corruption policies and procedures and failed to conduct meaningful due diligence on third parties.” Id. at 2. As a result, its newly acquired foreign subsidiaries were able to engage in various unlawful schemes, including paying bribes to government officials and judges in Peru, paying bribes to officials in China, and, notably, evading U.S. sanctions against Cuba. Id.

The sanctions violations stemmed from World Color’s longstanding relationship with a state-owned telecommunications company in Cuba, ETECSA. Id. at 8. At the time of the purchase, World Color provided telephone directories to ETECSA. After Quad acquired World Color, Quad employees conspired to maintain the relationship by routing the directories through a third-party vendor, and falsifying the profits earned in the company’s books and records. Id. Shortly after the acquisition, Quad Peru signed a contract to continue providing ETECSA with directories, and shipped the directories in 2011. Id. at 8-9.

To conceal the sales, Quad Peru employees made it appear that the directories were purchased by a Peruvian agent. Quad would print the directories, ship them to the agent, and the agent would ship the directories to Cuba. Id. at 9. The SEC determined that “the Peruvian Agent was not a true customer but a pass through company used to conceal Quad’s sales of telephone directories to Cuba.” Id. The business continued through October 2013. Id. The Order reflects that at one point, Quad executives in the United States learned of the sales to Cuba, but failed to “put adequate internal accounting controls and trade compliance measures in place to ensure” that no further transactions occurred. Id. at 10. The SEC Staff concluded that revenue from the sales was “illegal” and was “falsely recorded” in Quad’s books and records “as a sale to the Peruvian agent.”

Based on the aggregate conduct, the SEC found that Quad violated, among other things, the “books and records” and internal controls provisions of the FCPA. Quad agreed to cease-and-desist from further violations of the federal securities laws, to pay $7.4 million in disgorgement and prejudgment interest, and to pay a civil penalty of $2 million. Id. at 14. Quad also agreed to conduct two compliance reviews over a one-year period, and submit two formal reports to the SEC Staff.  Id. at 13.

Why this Order is Important

The Order marks a rare foray by the SEC into the enforcement of U.S. sanctions. The fact that it did so in this case is all the more remarkable because the Department of Justice publicly declined to prosecute Quad, and, in its declination letter, made no reference to the alleged sanctions violations.

At this point, it is unclear if the SEC’s use of the books-and-records and internal controls provisions of the Exchange Act to punish the evasion of United States sanctions is a one-time occurrence, or the signal of a new trend in sanctions enforcement against public companies. What is clear from the Quad Order is that the SEC is exploring new avenues to police issuers and other parties under its supervision. If the SEC will exercise authority over sanctions violations, it is entirely possible that it will investigate other financial compliance failures by issuers, broker-dealers, and investment advisers. For example, the SEC may consider whether an inadequate anti-money laundering compliance program could give rise to an internal controls violation or a violation of the SEC’s investor disclosure requirements.

The Quad Order also underscores the importance of conducting robust and thorough pre-acquisition due diligence that holistically covers financial crime risks—from corruption to fraud to money laundering to sanctions violations. Issuers, broker-dealers, and investment advisers must also carefully assess existing and potential customers for compliance shortcomings and overall risk, and develop a robust compliance function to mitigate financial crime exposure. Entities that fail to take these steps may risk becoming the next target of an expansive SEC enforcement regime.